
New Safe Harbor Process for Transfer of Personal Data Between US and EU

If your company does business in Europe — including by selling products or services or by employing or collecting information about European residents — and transfers information or data to the US, you must comply with new EU laws and regulations regarding the protection and transfer of personal data. As of August 1, 2016, companies can register for the Privacy Shield program, which provides a safe harbor process for complying with EU requirements for the transfer of personal data from the EU to the US.

The Privacy Shield program is approved by the European Commission as a method for complying with EU law on data protection, and companies that sign up for the Privacy Shield program are deemed to provide adequate protection for the transfer of data. The Privacy Shield program replaces the Safe Harbor Framework, which is no longer recognized as adequate to comply with EU law. If your company formerly complied with EU law by implementing the Safe Harbor Framework, it is important that you register for and implement the Privacy Shield program immediately.

The Privacy Shield program is jointly administered by the United States Department of Commerce and the European Commission. To register for the program, companies must certify that they will comply with certain privacy principles and adopt minimum protections regarding personal data, such as:

— adopting a written privacy policy containing a declaration of the company’s commitment to the Privacy Shield principles;
— providing written notice to individuals about the use of their personal information and about any data breaches;
— informing individuals about their right to access their own personal data and the company’s obligation to disclose personal information in response to lawful requests by public authorities;
— providing free resolution of disputes, typically through arbitration or mediation, regarding personal data;
— limiting the transfer, access to and retention of personal data;
— entering into written contracts with any third-party data processors;
— implementing reasonable measures to ensure that data is adequately protected from unauthorized access or disclosure; and
— taking reasonable steps to prevent, stop and remediate unauthorized access to or processing of data.

Although participation in the Privacy Shield program is voluntary, a company may violate US law if it fails to follow its own policies and procedures regarding the protection and transfer of personal information. Thus, a company must carefully plan, implement and observe its data protection policies and procedures in order to maintain compliance with US and EU law.
